Lsof

lsof is a command meaning "list open files", which is used in many Unix-like systems to report a list of all open files and the processes that opened them. This open source utility was developed and supported by Victor A. Abell, the retired Associate Director of the Purdue University Computing Center. It works in and supports several Unix flavors.

lsfd, a replacement for lsof on Linux, is included in util-linux.

History
In 1985, Cliff Spencer publishes the ofiles command. Its man page says: "ofiles – who has a file open [...] displays the owner and id of any process accessing a specified device". Spencer compiled it for 4.2BSD and ULTRIX. Moreover, in the newsgroup net.unix-wizards, he further remarks: With all the chatter about dismounting active file systems, I have posted my program to indicate who is using a particular filesystem, "ofiles" to net.sources.

In 1988, the command fstat ("file status") appears as part of the 4.3BSD-Tahoe release. Its man page says: fstat identifies open files. A file is considered open if a process has it open, if it is the working directory for a process, or if it is an active pure text file. If no options are specified, fstat reports on all open files.

In 1989, in comp.sources.unix, Vic Abell publishes ports of the ofiles and fstat commands from 4.3BSD-Tahoe to "DYNIX 3.0.1[24] for Sequent Symmetry and Balance, SunOS 4.0 and ULTRIX 2.2". Various people had evolved and ported ofiles over the years. Abell contrasted the commands as follows: Fstat is similar to the ofiles program which I recently submitted. Like ofiles, fstat identifies open files. Its orientation differs slightly from that of ofiles: ofiles starts with a file name and paws through the proc and user structures to identify the file; fstat reads all the proc and user structures, displaying information in all files, optionally applying a few filters to the output (including a single file name filter.)

In combination with netstat -aA and grep, fstat will identify the process associated with a network connection, just as will ofiles.

In 1991, Vic Abell publishes lsof version 1.0 to comp.sources.unix. He notes: Lsof (for LiSt Open Files) lists files opened by processes on selected Unix systems. It is my answer to those who regularly ask me when I am going to make fstat (comp.sources.unix volume 18, number 107) or ofiles (volume 18, number 57) available on SunOS 4.1.1 or the like.

Lsof is a complete redesign of the fstat/ofiles series, based on the SunOS vnode model. Thus, it has been tested on AIX 3.1.[357], HP-UX [78].x, NeXTStep 2.[01], Sequent Dynix 3.0.12 and 3.1.2, and Sunos 4.1 and 4.1.1. Using available kernel access methods, such as nlist and kvm_read, lsof reads process table entries, user areas and file pointers to reach the underlying structures that describe files opened by processes.

In 2018, Vic Abell publishes lsof version 4.92. The same year, he initiates the transfer of responsibility. He writes: I will reach 80 years of age later this year and I think it's time for me to end my work on general lsof revision releases. The lsof code is put on GitHub and maintenance is transferred.

Examples
Open files in the system include disk files, named pipes, network sockets and devices opened by all processes. One use for this command is when a disk cannot be unmounted because (unspecified) files are in use. The listing of open files can be consulted (suitably filtered if necessary) to identify the process that is using the files.

To view the port associated with a daemon:

From the above one can see that "sendmail" is listening on its standard port of "25".


 * -i: Lists IP sockets.
 * -n: Do not resolve hostnames (no DNS).
 * -P: Do not resolve port names (list port number instead of its name).
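
As an added example (not from the original page), the shell filter below reads `lsof -i -n -P` output and reports each listening TCP socket with its owning process, which is how one would confirm that sendmail listens on port 25. The sample output, including its PIDs, users and addresses, is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report listening TCP sockets from `lsof -i -n -P` output.
# Reads lsof's default column output on stdin, so it also works on saved output.

# listeners: print "COMMAND PID USER ADDRESS PORT SCOPE" per listening socket.
# SCOPE is "all-interfaces" for wildcard binds, "loopback" for 127.x or ::1,
# and "specific" for any other bound address.
listeners() {
    awk '
    NR == 1 && $1 == "COMMAND" { next }          # skip the header row
    $NF == "(LISTEN)" {
        name = $(NF - 1)                          # e.g. *:25 or [::1]:631
        port = name; sub(/^.*:/, "", port)        # text after the last colon
        addr = name; sub(/:[^:]*$/, "", addr)     # text before the last colon
        scope = "specific"
        if (addr == "*") scope = "all-interfaces"
        else if (addr ~ /^127\./ || addr == "[::1]") scope = "loopback"
        print $1, $2, $3, addr, port, scope
    }'
}

# Constructed sample output (not captured from a real host).
sample_lsof_output() {
    cat <<'EOF'
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sendmail 31649 root    4u  IPv4 521738      0t0  TCP *:25 (LISTEN)
cupsd      812 root    7u  IPv6  18211      0t0  TCP [::1]:631 (LISTEN)
sshd      1044 root    3u  IPv4  20455      0t0  TCP 192.0.2.10:22 (LISTEN)
sshd      2210 alice   4u  IPv4  33102      0t0  TCP 192.0.2.10:22->198.51.100.7:51514 (ESTABLISHED)
ntpd       650 ntp    16u  IPv4  15001      0t0  UDP *:123
EOF
}

# Live use (normally needs root to see other users' sockets):
#   lsof -i -n -P | listeners
sample_lsof_output | listeners
```

Parsing from the end of each line keeps the filter working on lsof builds that omit the SIZE/OFF column for sockets.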

One can also list Unix Sockets by using.

Lsof output
The lsof output describes:
 * the identification number of the process (PID) that has opened the file;
 * the process group identification number (PGID) of the process (optional);
 * the process identification number of the parent process (PPID) (optional);
 * the command the process is executing;
 * the owner of the process;
 * for all files in use by the process, including the executing text file and the shared libraries it is using:
    * the file descriptor number of the file, if applicable;
    * the file's access mode;
    * the file's lock status;
    * the file's device numbers;
    * the file's inode number;
    * the file's size or offset;
    * the name of the file system containing the file;
    * any available components of the file's path name;
    * the names of the file's stream components;
    * the file's local and remote network addresses;
    * the TLI network (typically UDP) state of the file;
    * the TCP state, read queue length, and write queue length of the file;
    * the file's TCP window read and write lengths (Solaris only); and
    * other file or dialect-specific values.

For a complete list of options, see the Lsof(8) Linux manual page.